02-20-2016 01:43 PM - edited 03-12-2019 12:22 AM
Dear All,
I have an ASA 5505, and I would like to ask what the purpose of identity NAT is. I understand that it replaces the real IP with the same IP as the mapped IP. For example, I have an ASA and two inside networks (sub1 and sub2), and if I want the sub1 clients to communicate with the other subnet, sub2, it is enough to make an access rule which accepts that traffic, because the two subnets are directly connected to the ASA and it knows where to route the traffic. (However, if the second subnet were beyond another router, or one of the subnets' default route were not the ASA, then it would be necessary to apply a NAT.)
So my question: is it enough to set up this kind of scenario without identity NAT, or is it not elegant and maybe not working in some situations?
Thank you very much.
02-22-2016 01:52 PM
The NAT requirement for traffic to pass through the ASA was removed completely in 8.4 and was disabled by default in 8.2, so NAT should not be necessary for LAN to LAN traffic between interfaces on the ASA. The only time you would possibly need to use identity NAT for inside to inside traffic could be if you need to access a webserver located on the local LAN via its public IP. There may be other reasons but this is the most common.
--
Please remember to select a correct answer and rate helpful posts
02-21-2016 01:12 PM
I did not really understand your scenario.
The identity NAT translates the source IP to itself so it maintains its IP through the ASA when there are dynamic NATs present on the ASA.
An example of use for identity NAT would be for a site to site VPN or remote access VPN. The identity NAT prevents the traffic from being translated and maintains the source IP when the traffic leaves the ASA.
--
Please remember to select a correct answer and rate helpful posts
02-22-2016 07:42 AM
Thank you for your kindness.
I'm not so familiar with the ASA. And when I created the network object NAT rules, I always defined the egress interface as well:
nat (inside, outside)...
With this configuration NAT occurs only if the traffic flows to the internet via the outside interface. This makes me confused: should I use identity NAT for traffic that flows inside to inside (I have more inside interfaces)? But as you said, it is necessary for VPN, and for situations when I want to skip NAT for machines/networks which are already dynamically NATed, if I am right.
Thank you.
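To put the pieces from this thread side by side (the "no NAT needed between inside interfaces" point, the dynamic NAT scoped by its interface pair, and the identity NAT that protects VPN traffic), here is an added ASA configuration example. It is not from this thread or from any of the posters; interface names, VLAN numbers, addresses (RFC 1918 and RFC 5737 ranges), the remote VPN subnet and the 8.4(2)+ object/twice-NAT syntax are all assumed:

```cisco
! Added example, not from the original thread. Assumptions:
!   inside  (Vlan1) = 192.168.1.0/24 (sub1)
!   inside2 (Vlan3) = 192.168.2.0/24 (sub2)
!   outside (Vlan2) = Internet, PAT to the interface address
!   10.10.10.0/24   = remote site reached over a site-to-site VPN
! ASA 8.4(2) or later syntax (route-lookup keyword).

! --- sub1 <-> sub2: no NAT statement at all. ---
! Both interfaces are directly connected, so routing alone carries the
! traffic; only an ACL (or same-security permit) is needed.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
 nameif inside2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
same-security-traffic permit inter-interface

! --- Object NAT (Section 2): dynamic PAT for sub1, scoped to (inside,outside). ---
object network SUB1
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
! The rule names outside as the mapped interface, so an inside -> inside2 flow
! never matches it and keeps its real source address without any identity rule.

! --- Identity NAT (Section 1, manual/twice NAT) for the VPN. ---
object network VPN-REMOTE
 subnet 10.10.10.0 255.255.255.0
!
nat (inside,outside) source static SUB1 SUB1 destination static VPN-REMOTE VPN-REMOTE no-proxy-arp route-lookup
! Section 1 is evaluated before Section 2. Without this line, traffic from
! sub1 to 10.10.10.0/24 would leave via outside, hit the dynamic PAT above,
! and reach the peer with the outside address as its source, so it would
! never match the crypto map's interesting-traffic ACL.

! --- Verification (exec mode) ---
! show nat detail
!   Lists rules by section with hit counts; the identity rule must appear
!   under "Manual NAT Policies (Section 1)" above the object NAT.
! packet-tracer input inside tcp 192.168.1.50 40000 10.10.10.20 443
!   The NAT phase names the rule that matched; it should be the identity rule.
! packet-tracer input inside tcp 192.168.1.50 40000 192.168.2.20 445
!   No NAT rule should match at all for the inside -> inside2 flow.
```

The `no-proxy-arp` keyword stops the ASA from answering ARP for the remote subnet on the outside segment, and `route-lookup` makes the egress interface come from the routing table rather than from the NAT rule's interface pair, which matters once a VPN or second router is in the path.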
02-23-2016 03:37 AM
It is clear now.
Thank you very much for your help!
Have a nice day!